SANS ISC InfoSec Forums

Continuing on the discussion started here regarding Incident Response and Incident Handling, let's now introduce Incident Management. One of the issues we face in IT security is that we do not always use a common set of definitions or terminologies, so I find explaining what I mean is helpful when I say Incident Management, which may be different from what others understand. Looking at a couple of industry definitions we can see that they differ somewhat, but have common themes.

From ITIL: The objective of Incident Management is to restore normal operations as quickly as possible with the least possible impact on either the business or the user, at a cost-effective price.

From SEI: An incident management capability is instantiated in a set of services considered essential to protecting, defending, and sustaining an organization’s computing environment, in addition to conducting appropriate response actions.

From US-CERT: An incident management capability is the ability to provide management of computer security events and incidents. It implies end-to-end management for controlling or directing how security events and incidents should be handled. This involves defining a process to follow with supporting policies and procedures in place, assigning roles and responsibilities, having appropriate equipment, infrastructure, tools, and supporting materials ready, and having qualified staff identified and trained to perform the work in a consistent, high-quality, and repeatable way.

The definitions I work from are as follows:

Incident Response is all of the technical components required in order to identify, analyze, and contain an incident.

Incident Handling is the logistics, communications, coordination, and planning functions needed in order to resolve an incident in a calm and efficient manner.

One definition is more related to tactical, the other operational. Response focuses on the immediate needs of incident at hand; Handling on the broader capabilities of an organization to prepare for an incident.

Incident Management is the framework and set of functions required to enable Incident Response and Incident Handling within an organization.

Information Security Incident Management (IM) is not composed of a single process, but rather includes a number of operational and technical components which provide the necessary functions in order to support the traditional “Preparation, Identification, Contain, Eradication, Recovery, Lessons Learned” incident process model, including longer term monitoring, strategic planning, and trend analysis.

I helped develop an Incident Management Maturity Model (IM-MM) which included the following domains:

Threat Environment Monitoring

Security Incident Monitoring

Vulnerability Management

Configuration Management

Log Management

Forensics:

Incident Handling

Co-ordination/Centralization

Knowledge Management

People, policy, processes, and technology in each of these domains are required to varying degrees for an organizational Incident Management capability to function correctly. Each can also be evaluated for an assessment of the organization's overall capability to resolve incidents.

Cheers,
Adrien de Beaupré, yes I do hold the GCIH certification, analyst #69. And yes, I have worked in Incident Response, Incident Handling, and Incident Management for quite some time.

The IM-MM has been released under a Creative Commons license, but not published as of yet, working on it now. Disclaimer, I am not an employee of SANS nor GIAC, and do not represent them. My opinions are my own and not my employer's nor anyone else's. And yes, I am Canadian eh!